polyfill.io supply chain #603
Comments
|
This group really doesn't have any purview into this kind of issue. The only thing I think we could do is help elevate the message that using 3rd party CDN's, no matter the reasoning, is a security risk and should be avoided. Same goes for things loaded from https imports in esm, if you load from a 3rd party that is a security risk you need to understand before doing it. |
|
I agree - this is an application concern, not a package concern. It's also worth noting that "host your own assets" has been a widely spread best practice for over a decade (as is not deploying directly from the public npm registry). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Should we discuss the situation around polyfill.io?
Subj:
https://www.sonatype.com/blog/polyfill.io-supply-chain-attack-hits-100000-websites-all-you-need-to-know
Background:
https://blog.cloudflare.com/polyfill-io-now-available-on-cdnjs-reduce-your-supply-chain-risk
Potential npm packages which inject this code in runtime:
What I personally think: maybe we should try to suspend from Node.js community side new owners at GitHub as potentially malicious distributor.
It looks like the new owners are deleting all issues related to the situation:
The text was updated successfully, but these errors were encountered: